Marcher Trojan Uses New Tactic to Infect Android Users

A fraudulent Adobe Flash installer package is a pathway to infection and potential financial losses by way of the Marcher Trojan.

Security firm Zscaler is warning about a new variant of the Android Marcher Trojan that is using Adobe Flash and adult content sites as a way to trick users into becoming infected and giving up financial information.

There are a lot of different vulnerabilities in Adobe Flash—in fact, Adobe just updated for 23 new vulnerabilities this week—but the new Android Marcher Trojan isn’t using an authentic version of Flash or exploiting vulnerabilities that Adobe has already patched. Rather, the Android Marcher Trojan uses a fake version of an Adobe Flash Player installer to infect users.

“The majority of the Marcher Trojan downloads that we are blocking in the cloud are from porn sites,” Deepen Desai, head of security research at Zscaler, told eWEEK. This appears to be a popular social engineering tactic where the user is prompted to install the Flash Player update to view the porn video and the attack cycle can start with an email or SMS.”

The email or SMS message that an infected user will get directs the user to the Google Play store to download an app called X-VIDEO. Users are asked to enter their payment card information in order to get access to X-VIDEO, even though the app is free. The fake payment page does say that “you will not be charged unless you make a purchase,” Desai said.

“We did not see anything malicious in X-VIDEO, and this was also confirmed by Google’s Android team,” he said. “However, this may be a tactic to further convince the user into entering the payment information on the fake Google Play payment page to complete the account setup and download this porn app.”

Desai said Zscaler was able to capture and identify the new Marcher campaign using the Zscaler cloud platform. He added that Zscaler’s in-line antivirus and cloud sandbox ensured protection for its customers. At this early stage, Zscaler has blocked more than 50 payloads from this new Marcher campaign, he said.

The new Marcher Trojan specifically is targeting Android users, and even a fully patched Android isn’t enough to stop it. Google issued its March update for Android earlier this week, providing patches for 19 new vulnerabilities.

“This malware will work fine on the latest Android operating systems provided the user clicks and installs the package, which is usually successful due to the porn lure,” Desai said.

Even though a fully patched Android operating system is still at risk, Desai said there are likely a few things that Google could do to limit the risk to users who click on the malicious link.

“Google may be able to track the download attempts for the X-VIDEO app that comes from the malicious link ‘mms-service[.]info/mms’ redirect to the Google Play store,” Desai said. “This can further be used in identifying and notifying the users of all the compromised Android devices that have installed X-VIDEO due to Marcher Trojan infection.”